Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: "Xing, Cedric" <cedric.xing@xxxxxxxxx>
Subject: Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
From: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
Date: Fri, 14 Jun 2019 10:53:39 -0700
Cc: Stephen Smalley <sds@xxxxxxxxxxxxx>, "linux-security-module@xxxxxxxxxxxxxxx" <linux-security-module@xxxxxxxxxxxxxxx>, "selinux@xxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxx>, "linux-kernel@xxxxxxxxxxxxxxx" <linux-kernel@xxxxxxxxxxxxxxx>, "linux-sgx@xxxxxxxxxxxxxxx" <linux-sgx@xxxxxxxxxxxxxxx>, "jarkko.sakkinen@xxxxxxxxxxxxxxx" <jarkko.sakkinen@xxxxxxxxxxxxxxx>, "luto@xxxxxxxxxx" <luto@xxxxxxxxxx>, "jmorris@xxxxxxxxx" <jmorris@xxxxxxxxx>, "serge@xxxxxxxxxx" <serge@xxxxxxxxxx>, "paul@xxxxxxxxxxxxxx" <paul@xxxxxxxxxxxxxx>, "eparis@xxxxxxxxxxxxxx" <eparis@xxxxxxxxxxxxxx>, "jethro@xxxxxxxxxxxx" <jethro@xxxxxxxxxxxx>, "Hansen, Dave" <dave.hansen@xxxxxxxxx>, "tglx@xxxxxxxxxxxxx" <tglx@xxxxxxxxxxxxx>, "torvalds@xxxxxxxxxxxxxxxxxxxx" <torvalds@xxxxxxxxxxxxxxxxxxxx>, "akpm@xxxxxxxxxxxxxxxxxxxx" <akpm@xxxxxxxxxxxxxxxxxxxx>, "nhorman@xxxxxxxxxx" <nhorman@xxxxxxxxxx>, "pmccallum@xxxxxxxxxx" <pmccallum@xxxxxxxxxx>, "Ayoun, Serge" <serge.ayoun@xxxxxxxxx>, "Katz-zamir, Shay" <shay.katz-zamir@xxxxxxxxx>, "Huang, Haitao" <haitao.huang@xxxxxxxxx>, "andriy.shevchenko@xxxxxxxxxxxxxxx" <andriy.shevchenko@xxxxxxxxxxxxxxx>, "Svahn, Kai" <kai.svahn@xxxxxxxxx>, "bp@xxxxxxxxx" <bp@xxxxxxxxx>, "josh@xxxxxxxxxxxxxxxx" <josh@xxxxxxxxxxxxxxxx>, "Huang, Kai" <kai.huang@xxxxxxxxx>, "rientjes@xxxxxxxxxx" <rientjes@xxxxxxxxxx>, "Roberts, William C" <william.c.roberts@xxxxxxxxx>, "Tricca, Philip B" <philip.b.tricca@xxxxxxxxx>
In-reply-to: <20190614174556.GJ12191@linux.intel.com>
References: <cover.1560131039.git.cedric.xing@intel.com> <a382d46f66756e13929ca9244479dd9f689c470e.1560131039.git.cedric.xing@intel.com> <b6f099cd-c0eb-d5cf-847d-27a15ac5ceaf@tycho.nsa.gov> <20190611220243.GB3416@linux.intel.com> <8d99d8fb-a921-286a-8cf0-cd522e09b37c@tycho.nsa.gov> <20190614004600.GF18385@linux.intel.com> <960B34DE67B9E140824F1DCDEC400C0F65504665@ORSMSX116.amr.corp.intel.com> <20190614174556.GJ12191@linux.intel.com>
User-agent: Mutt/1.5.24 (2015-08-30)

On Fri, Jun 14, 2019 at 10:45:56AM -0700, Sean Christopherson wrote:
> The state tracking of #2/#3 doesn't scare me, it's purely the auditing.
> Holding an audit message for an indeterminate amount of time is a
> nightmare.
> 
> Here's a thought.  What if we simply require FILE__EXECUTE or AA_EXEC_MAP
> to load any enclave page from a file?  Alternatively, we could add an SGX
> specific file policity, e.g. FILE__ENCLAVELOAD and AA_MAY_LOAD_ENCLAVE.
> As in my other email, SELinux's W^X restrictions can be tied to the process,
> i.e. they can be checked at mmap()/mprotect() without throwing a wrench in
> auditing.

We would also need to require VM_MAYEXEC on all enclave pages, or forego
enforcing path_noexec() for enclaves.

Follow-Ups:
- Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
  - From: Sean Christopherson

References:
- [RFC PATCH v1 0/3] security/x86/sgx: SGX specific LSM hooks
  - From: Cedric Xing
- [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
  - From: Cedric Xing
- Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
  - From: Stephen Smalley
- Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
  - From: Sean Christopherson
- Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
  - From: Stephen Smalley
- Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
  - From: Sean Christopherson
- RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
  - From: Xing, Cedric
- Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
  - From: Sean Christopherson

Prev by Date: Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
Next by Date: Re: [PATCH v2] Add CONTRIBUTING.md
Previous by thread: Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
Next by thread: Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux
Index(es):
- Date
- Thread

[Index of Archives] [Selinux Refpolicy] [Linux SGX] [Fedora Users] [Fedora Desktop] [Yosemite Photos] [Yosemite Camping] [Yosemite Campsites] [KDE Users] [Gnome Users]